
I have 6 machines: 3 running RHEL 3 (Taroon Update 9) and 3 others running RHEL 5.6 (Tikanga).

They all share an NFS volume containing

  1. an Apache 2.2.4 installation
  2. that Apache's configuration files
  3. the PHP scripts and other content served by that Apache

On each machine, that shared Apache is started with the "-D $hostname" option to distinguish from the Apache instances running on the other machines. (Where $hostname is the hostname of the machine).

There is a load balancer (another Apache) in front of these 6 machines, balancing the requests between them.

The problem:

I've placed a .htaccess file in a directory containing these rules:

```
order deny,allow
deny from all
allow from my.very.own.ip
```

(I've tried the same rules in the configuration file between , with the same result)

Any request from any IP other than my.very.own.ip is denied by all 6 Apaches.

Requests from my.very.own.ip that hit the first 3 Apaches (running on RHEL 3) are accepted, which is normal.

Requests from my.very.own.ip that hit the last 3 Apaches (running on RHEL 5.6) are denied (HTTP 403, client denied by server configuration), which is not normal.

I've run a strace on all the Apache servers (and their forked children) and this is what they look like:

- on a "good" Apache with request coming from my.very.own.ip

19553 read(7, "GET /my/website"..., 8000) = 1761
19553 gettimeofday({1343736878, 168708}, NULL) = 0
19553 gettimeofday({1343736878, 168787}, NULL) = 0
19553 gettimeofday({1343736878, 168835}, NULL) = 0
19553 stat64("/shark/apps/apache1/conf/www/maps/stationlist.txt", {st_mode=S_IFREG|0644, st_size=5557, ...}) = 0
19553 stat64("/shark/apps/apache1/conf/somedir/stationkidsurls.txt", {st_mode=S_IFREG|0644, st_size=6200, ...}) = 0
19553 stat64("/shark/www_docs/my/website/php/script.php", {st_mode=S_IFREG|0644, st_size=2449, ...}) = 0
19553 open("/shark/www_docs/.htaccess", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
19553 open("/shark/www_docs/my/.htaccess", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
19553 open("/shark/www_docs/my/website/.htaccess", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
19553 open("/shark/www_docs/my/website/php/.htaccess", O_RDONLY|O_LARGEFILE) = 10
19553 fstat64(10, {st_mode=S_IFREG|0644, st_size=51, ...}) = 0
19553 read(10, "    order deny,allow\n    deny f"..., 4096) = 51
19553 read(10, "", 4096)                = 0
19553 close(10)                         = 0
19553 open("/shark/www_docs/my/website/php/script.php/.htaccess", O_RDONLY|O_LARGEFILE) = -1 ENOTDIR (Not a directory)
19553 getpid()                          = 19553
19553 setitimer(ITIMER_PROF, {it_interval={0, 0}, it_value={60, 0}}, NULL) = 0
19553 rt_sigaction(SIGPROF, {0x1280014, [PROF], SA_RESTORER|SA_RESTART, 0x3c10d8}, {0x1280014, [PROF], SA_RESTORER|SA_RESTART, 0x3c10d8}, 8) = 0
19553 rt_sigprocmask(SIG_UNBLOCK, [PROF], NULL, 8) = 0
19553 getcwd("/", 4095)                 = 2
19553 chdir("/shark/www_docs/my/website/php") = 0

- on a "bad" Apache with request coming from my.very.own.ip

1723  read(9, "GET /my/website"..., 8000) = 1761
1723  gettimeofday({1343736621, 548677}, NULL) = 0
1723  gettimeofday({1343736621, 548735}, NULL) = 0
1723  gettimeofday({1343736621, 548771}, NULL) = 0
1723  stat64("/shark/apps/apache1/conf/www/maps/stationlist.txt", {st_mode=S_IFREG|0644, st_size=5557, ...}) = 0
1723  stat64("/shark/apps/apache1/conf/somedir/stationkidsurls.txt", {st_mode=S_IFREG|0644, st_size=6200, ...}) = 0
1723  stat64("/shark/www_docs/my/website/php/script.php", {st_mode=S_IFREG|0644, st_size=2449, ...}) = 0
1723  open("/shark/www_docs/.htaccess", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
1723  open("/shark/www_docs/my/.htaccess", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
1723  open("/shark/www_docs/my/website/.htaccess", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
1723  open("/shark/www_docs/my/website/php/.htaccess", O_RDONLY|O_LARGEFILE) = 12
1723  fstat64(12, {st_mode=S_IFREG|0644, st_size=51, ...}) = 0
1723  read(12, "    order deny,allow\n    deny f"..., 4096) = 51
1723  read(12, "", 4096)                = 0
1723  close(12)                         = 0
1723  open("/shark/www_docs/my/website/php/script.php/.htaccess", O_RDONLY|O_LARGEFILE) = -1 ENOTDIR (Not a directory)
1723  gettimeofday({1343736621, 550606}, NULL) = 0
1723  write(10, "[Tue Jul 31 08:10:21 2012] [erro"..., 159) = 159
729   <... read resumed> "[Tue Jul 31 08:10:21 2012] [erro"..., 65536) = 159
729   gettimeofday({1343736621, 550743}, NULL) = 0
729   gettimeofday({1343736621, 550786}, NULL) = 0

What do you think?

The only difference between these machines is the RHEL version. That may also mean that the NFS share ( /shark ) is mounted differently...

I've modified the .htaccess and changed the allow,deny rule with a Rewrite (requests not coming from my.very.own.ip are redirected to somewhere else). But... I'm still wondering why the same rules behave differently on different machines (same Apache, same configuration files).

Thank you!

Syl
  • It's possible that it's something you defined in the hostname-specific bits. Have you tried starting apache with `-D one.of.the.hostsnames.that.works`? Also, there's no extra NAT or anything that would change the IP of `my.very.own.ip`, correct? – dririan Aug 01 '12 at 15:56
  • I "switched" the hostnames of two Apache servers (a "good" one with a "bad" one). The result was the same: the "good" kept reading the .htaccess very well, even if its hostname has changed, while the "bad" one kept denying me even if it had the hostname of the "good" Apache. And there is no NAT issue. The IP is correctly displayed on all the Apache servers. Thank you! – Syl Aug 07 '12 at 07:42
  • dririan, I think it was a misunderstanding. I still don't know why 3 of the servers work OK and the other 3 don't. It's not a NAT issue and switching the hostnames doesn't fix the problem. – Syl Aug 13 '12 at 13:54
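
For reference, an added example (not part of the original post or of Apache's code) that evaluates the posted rules under the documented Apache 2.2 `Order` semantics, so the expected decision for a given client address can be checked against what each server returns. The address 203.0.113.7 is a constructed stand-in for `my.very.own.ip`; the function names are hypothetical and only IPv4 address specs are handled, not hostnames or `env=`.

```python
import ipaddress

# Constructed sample: 203.0.113.7 stands in for "my.very.own.ip" from the post.
RULES = """\
    order deny,allow
    deny from all
    allow from 203.0.113.7
"""

def spec_matches(spec, client_ip):
    """True if an Allow/Deny 'from' spec matches an IPv4 client address."""
    if spec.lower() == "all":
        return True
    if "/" in spec:  # CIDR (10.1.0.0/16) or network/netmask form
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(spec, strict=False)
    octets = spec.rstrip(".").split(".")
    if len(octets) < 4:  # partial address such as "10.1" matches 10.1.x.x
        return client_ip.split(".")[:len(octets)] == octets
    return ipaddress.ip_address(client_ip) == ipaddress.ip_address(spec)

def parse_rules(text):
    """Collect the Order value and the Allow/Deny specs from .htaccess text."""
    order, allow, deny = "deny,allow", [], []  # Apache 2.2 default Order
    for line in text.splitlines():
        words = line.split()
        if len(words) < 2 or words[0].startswith("#"):
            continue
        key = words[0].lower()
        if key == "order":
            order = "".join(words[1:]).lower()
        elif key in ("allow", "deny") and words[1].lower() == "from":
            (allow if key == "allow" else deny).extend(words[2:])
    return order, allow, deny

def is_allowed(text, client_ip):
    """Apply the Order semantics to one client address."""
    order, allow, deny = parse_rules(text)
    allowed = any(spec_matches(s, client_ip) for s in allow)
    denied = any(spec_matches(s, client_ip) for s in deny)
    if order == "deny,allow":  # default allow; an Allow match overrides Deny
        return allowed or not denied
    if order == "allow,deny":  # default deny; a Deny match overrides Allow
        return allowed and not denied
    raise ValueError("unsupported Order: " + order)

if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.20"):
        print(ip, "allowed" if is_allowed(RULES, ip) else "denied (403)")
```

With the order swapped to `allow,deny`, the same `deny from all` line rejects every client, including the allowed address.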
